Technology support for pain management is
now available in many states through electronic prescribing
(e-prescribing) of controlled substances. Controlled agents that may be
used in appropriate circumstances for pain management are classified
under the DEA schedules II through V.1 For example, schedule
II agents include opioids with high potential for abuse. E-prescribing
of controlled substances is subject to both federal and state laws and
regulations.

The United States Drug Enforcement
Administration (DEA) has issued an interim final rule (IFR) that sets
forth a complex array of federal regulations for e-prescribing of
controlled substances.2 This rule sets minimum standards that
must be met in all states where e-prescribing of controlled substances
is allowed. State laws and regulations can set forth additional
requirements and restrictions. The DEA requires its registrants to
follow all applicable laws, including both federal and state; hence,
practitioners must also comply with more stringent state laws when
applicable.2 For example, as of 2012, some states, such as
New York, did not permit e-prescribing of controlled substances, pending
release of state regulations.3 Other states permit
e-prescribing of schedules III through V, but not schedule II agents,
and some states permit e-prescribing of all schedules II through V.4
Hence, both pharmacists and potential prescribers of electronic
controlled-substance prescriptions are encouraged to seek legal advice
about the exact status of e-prescribing laws and regulations in their
particular state.

The DEA IFR establishes stringent
requirements for all parties involved in the e-prescribing transaction
of a controlled substance to reduce the risk of fraud and diversion
while supporting legitimate e-prescribing for patients in severe pain.
The involved stakeholders include clinicians who are permitted to write
an e-prescription for controlled substances (as authorized by the DEA
and state law); organizations that issue credentials;
e-prescribing–software vendors (including electronic health record [EHR]
vendors); intermediaries and e-prescribing networks; pharmacy-software
vendors and pharmacies and pharmacists. This article reviews some of the
major requirements for stakeholders in this complex process.

Requirements for Clinicians

Clinicians who will be engaged in
e-prescribing of controlled substances must adhere to strict
requirements under the DEA IFR. Only clinicians who are DEA registrants
or exempt from registration (for example, authorized prescribers in an
institutional setting) are permitted to sign an e-prescription for a
controlled substance. Clinicians must also be authorized under state
law, as applicable, to write such prescriptions.

Clinicians must undergo identity proofing, which
might, for example, take place at a hospital credentialing office. The
clinician’s state credentials to practice and, where required, to
prescribe are confirmed to be in good standing, and his or her federal
DEA status is also confirmed. Once the identity-proofing process is
complete, the clinician will be issued a two-factor authentication
credential (see TABLE 1) provided by an organization approved by
the General Services Administration Office of Technology
Strategy/Division of Identity Management.2

In addition, under the IFR, clinicians
are permitted the option to use a private cryptographic key. A digital
certificate associated with the key must be obtained from a
certification authority that is cross-certified with the Federal Bridge
Certification Authority (FBCA). The private key associated with the
digital certificate must be stored on a hard token. This hard token
containing the cryptographic key would be one of the two required
authentication credentials. The clinician has the responsibility to
safeguard his or her authentication credentials, and may not share them
with any other individual. Furthermore, the clinician is obligated to
ensure that only e-prescribing software that has been certified through a
third-party audit to comply with all provisions of the IFR will be used
to e-prescribe controlled substances.

Clinicians are required to electronically
sign and authorize transmission of the e-prescription by applying their
two-factor authentication protocol. The act of applying the two-factor
authentication protocol, as defined in the IFR, constitutes the legal
electronic signature on the prescription. Hence, it is critical for
clinicians to safeguard their two-factor credentials to prevent
forgeries.

The DEA implemented a two-factor
authentication requirement to reduce the risk of diversion of controlled
substances. This is similar to the use of an ATM, as at a bank, where
the user must have possession of the appropriate card and must know the
pin code in order to use the card.2

Requirements for e-Prescribing Software

If a pain-management clinician wishes to
utilize e-prescribing for controlled substances, then care must be taken
to ensure that the EHR’s e-prescribing module is certified to meet all
requirements of the DEA IFR.

The DEA IFR includes an array of strict
functional requirements for e-prescribing software. Vendors are required
to pass third-party audits to certify that their software complies with
all provisions of the IFR. Only software that is certified to meet all
IFR requirements may be used to transmit controlled-substance
e-prescriptions.

E-prescribing software must

• Not permit the transmission of a
controlled e-prescription to a pharmacy unless the prescription is
properly signed electronically by a specific authorized prescriber using
a two-factor authentication protocol

• Have logical access controls in place,
either by role or name. For example, practitioners who are not legally
authorized to prescribe cannot be permitted to access the e-prescribing
functionality of the software

• Link DEA registrants to their individual DEA numbers, or approved exempt clinicians to the institutional DEA number

• Accept all data that are required to be
on a controlled-substance prescription, including: the date signed and
issued; the full name and address of the patient; the drug name,
strength, dosage form, quantity prescribed and directions for use; and
the name, address; and registration number of the practitioner.

Once a prescription is electronically
signed by the prescriber via the application of the prescriber’s
two-factor authentication protocol, the software is required to
digitally sign a copy of the prescription and archive it. This creates a
permanent record of the prescription that cannot be altered. The
application will either use its own private key or, if applicable, the
prescriber’s private key, to encrypt all the required data in the
prescription. In the event that the prescriber’s private key is to be
used to encrypt the data, the application is required to check to ensure
that the prescriber’s digital certificate is still valid. If the
digital certificate has been revoked or is otherwise not valid, then the
e-prescription is not valid and cannot be transmitted. The encrypted
archived records may be used in audits and compared against copies of
prescriptions archived in pharmacies. The application is also required
to date and time-stamp the prescription when the signing operation is
complete.2

The IFR does not specifically require that the
e-prescription be transmitted in encrypted format; however, some states
have such a requirement. For example, in New York, all e-prescriptions
are required to be encrypted during transmission.5

The application must also send data to
the pharmacy indicating that the prescription has been electronically
signed by the prescriber. However, if the prescriber has elected to use
his or her own private key to digitally sign the prescription, then this
requirement is waived because the pharmacy will apply the prescriber’s
public key to confirm that the prescription was indeed signed. This is
clearly a more secure method of verifying that the prescription was
signed, but is not mandatory. Prescribers may elect to use software that
employs either method unless there are more stringent state
requirements.

Controlled-substance prescriptions that
have already been printed are considered to be paper prescriptions and
may not be transmitted electronically, and the software is required to
enforce this provision. If the prescription is to be printed after it
has already been electronically transmitted, then the software is
required to label the printed version as a “copy not for dispensing.”
However, if the electronic transmission ultimately fails, then the
software is permitted to print the prescription with information about
the original failed transmission.

Requirements for Intermediaries or e-Prescribing Networks

There are very few specific requirements
for intermediaries or e-prescribing networks in the IFR. The most
important requirement is that intermediaries notify the prescriber if
the transmission of an e-prescription for a controlled substance to the
specified pharmacy has failed. In this instance, the intermediary is
prohibited by the IFR from converting the e-prescription into a fax. The
IFR specifically requires that the controlled substance e-prescription
must be transmitted electronically from the clinician to the pharmacy.
The required components of the prescription must not be changed or
altered by the intermediary, except that conversion from one software
version to another is permitted, so that the pharmacy software will be
able to read and import the data.2

One large national e-prescribing network,
Surescripts, has developed a formal process for both prescribers and
pharmacies to ensure that only certified software (as confirmed by
third-party audits) is permitted to process controlled-substance
e-prescriptions via their network. Surescripts also confirms that the
prescription either has been digitally signed by the prescriber or that
the flag indicating the fact that it has been signed is present.6

Requirements for Pharmacy Software

Pharmacy software is required to be
audited by a third party to ensure that it complies with all
requirements of the IFR. The software must properly import, store, and
display the information that is required to be on a controlled-substance
prescription. In the situation where the prescription has been
digitally signed by the prescriber using his or her private
cryptographic key, the pharmacy software must be able to apply the
prescriber’s public key to confirm that the prescription was, in fact,
signed. In this instance, the software must check to verify that the
prescriber’s digital certificate is still valid and has not been
revoked. Otherwise, the software must be able to read and/or display the
transmitted flag indicating that the prescription was signed. The
software must retain the full DEA number of the prescriber. On receipt
of a controlled-substance e-prescription, the software must digitally
sign the prescription (this may also be done by the last intermediary,
such as the final intermediary for a pharmacy chain). The digitally
signed prescription must then be archived by the software. This archived
version may be used in audits. The pharmacy software must have logical
access controls that restrict access by name or role. The software must
store all applicable dispensing information, such as the number of units
dispensed. It must also have an internal audit trail, and must perform
automated internal audits and provide reports of incidents to the
pharmacist. All records must be backed up daily and stored for a minimum
of 2 years.2

Requirements for Pharmacies and Pharmacists

Pharmacies and pharmacists are permitted
to process and fill e-prescriptions for controlled substances only if
their software has been certified by a third party as meeting all
requirements of the DEA IFR. Pharmacists are not permitted to fill the
e-prescriptions if their software is noncompliant in any aspect with the
IFR. In addition, the pharmacy must have logical access controls in
place so that only authorized employees are able to annotate or alter
the controlled-substance e-prescriptions (as legally permitted) on the
system. When a pharmacist would normally need to annotate a prescription
in the normal course of filling a controlled-substance prescription,
the IFR requires that the annotation be done electronically and stored
electronically. If a pharmacist receives an oral or paper prescription
that was originally electronically transmitted but failed, the
pharmacist is required to check with the original pharmacy to ensure
that the prescription was not received and filled.2

Conclusion

Although the requirements outlined for
the stakeholders in the e-prescribing process are quite complex, they
are designed to reduce the risk of fraud and diversion, while at the
same time enhancing the technical support for e-prescribing of
controlled substances when legitimately prescribed for patients
experiencing severe pain.

5. New York State Department of
Education, Office of the Professions. Regulations of the commissioner.
Part 63, Pharmacy. §63.6.a.7.ii.b. Updated October 15, 2012.
www.op.nysed.gov/prof/pharm/part63.htm. Accessed December 26, 2012.

U.S. Pharmacist is a monthly journal dedicated to providing the nation's pharmacists with up-to-date,
authoritative, peer-reviewed clinical articles relevant to contemporary pharmacy practice in a variety of settings,
including community pharmacy, hospitals, managed care systems, ambulatory care clinics, home care organizations,
long-term care facilities, industry and academia. The publication is also useful to pharmacy technicians, students,
other health professionals and individuals interested in health management. Pharmacists licensed in the U.S. can earn
Continuing Education credits through Postgraduate Healthcare Education, LLC, accredited by the Accreditation Council for Pharmacy Education (ACPE)
as a provider of continuing pharmacy education.